> Yes, they could serve you a MITM key, but it would be easily discoverable

Like a lot of things it boils down to your threat model. If the broker or a state are your adversary, it wouldn't need to be a general design feature to behave this way but it could instead target you at the time of key exchange. Not an implausible scenario for reporters and their sources, e.g.
Those folks are especially vulnerable because they might be led to believe claims of "end to end encryption". Put that together with those default settings and interception and impersonation can happen right under your nose.